Server Security Requirements and References

The following server security requirements apply to Northwestern University hosts that contain NetIDs and passwords. Many of the requirements can also be applied to any host where sensitive data is present, or any host that should be secure.

These standards ensure that all hosts conform to the same set of access control standards, and that Northwestern complies with information security legislation.

The expected compliance date for these requirements is January 1, 2007. Hosts that receive a NetID and password feed are required to comply. Those unable to meet these requirements should apply to NUIT Information and Systems Security/Compliance for an exemption. Failure to either obtain a specific exemption or meet these requirements could result in termination of the NetID/password feed.

Audience:

Department and group information technology support and information technology security staff.

Statement:

NUIT Information and Systems Security/Compliance encourages administrators to apply as many of these requirements as widely as possible to hosts within a department or unit. These are minimum standards, and where practical for your environment, additional security measures should be considered.

Requirement / Description (reference letters in parentheses refer to the References list below)

1. Disable system restore. (I)
2. Guest accounts disabled. (A, B, C, O)
3. Remove, disable, or change the password of default accounts. (A, B, C, D, O)
4. Port Reporter or a similar system installed and active. (G)
5. Hosts should automatically disable either local accounts or attacking hosts for a period of not less than two minutes after 15 authentication failures in a rolling five-minute window. (A, B, C, D, O)
6. All local and domain accounts with privileges above normal user level must have a minimum 15-character passphrase, which must be changed at least once every quarter. (A, B, C, D, O)
7. No open, non-authenticated file sharing may be enabled. (E)
8. Software and OS patches installed as soon as practical for your environment. (A, B, C, D, O)
9. Remove the LM hash. (F)
10. Clock must be automatically synchronized to a recognized time server. (A, B, C, L, O)
11. Unused services should be disabled. (A, B, C, D, H, K, O)
12. Encrypted backups should be taken regularly, and all on-site and off-site storage should be physically secure.
13. Auditing enabled, with a minimum of login success and failure. (A, B, C, O)
14. Mandatory audit log monitoring program or procedure. (D)
15. Audit the use of all privileged accounts. This auditing should include the read and write access performed by these accounts. (A, B, C, D, O)
16. OS that is not older than one minor release, or service pack, from the current release. (A, B, C, D, H, O)
17. Machines may not be connected to the network until they have had the latest OS and application updates applied, anti-virus software installed and activated, a firewall enabled, and a strong passphrase set on all accounts. (A, B, C, D, H, K, O)
18. Remote access software must be disabled or restricted to specific IP addresses by default. It can be temporarily enabled on a case-by-case basis by authorized personnel. Only software that supports end-to-end encryption should be used for this purpose.
19. Appliance-based firewall required. If a host-based firewall option is available, consider using it in addition to the appliance. (M)
20. Encrypt sensitive data (recommendations currently in development). (N, O)
21. Defined process for approval, acceptable use, and removal of system privileges.
22. Housed at the University data center or a similar setup.
23. Systems (servers) with a NetID feed may not be used for multiple purposes. Exceptions require approval of NUIT-ISS/C.
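Requirement 5 above states the lockout rule in words only. The following is an added example, not NUIT's code, showing one way to implement and test that rule against authentication events: failures are counted per account and per source address in a rolling five-minute window, and the 15th failure locks the key for two minutes. The log line format, the account names and the addresses are constructed for the example and are not part of the policy.

```python
"""Rolling-window lockout check for requirement 5 (added example, not NUIT code).

Assumed, constructed log format (one event per line):
    <ISO-8601 timestamp> auth <success|failure> user=<account> src=<address>
Failures are counted per account and per source address in a rolling
five-minute window; the 15th failure locks that key for two minutes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 15                  # failures that trigger a lockout
WINDOW = timedelta(minutes=5)   # rolling window for counting failures
LOCKOUT = timedelta(minutes=2)  # minimum time a key stays locked

LINE_RE = re.compile(r"^(\S+) auth (success|failure) user=(\S+) src=(\S+)$")


class LockoutTracker:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, lockout=LOCKOUT):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> datetime the lock expires

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        return until is not None and now < until

    def _record_failure(self, key, when):
        """Add one failure; return True if it is the threshold-th in the window."""
        q = self.failures[key]
        q.append(when)
        while q and when - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[key] = when + self.lockout
            q.clear()  # counting restarts once the lock has expired
            return True
        return False

    def classify(self, when, ok, account, src):
        """Return 'denied', 'allowed', 'failed' or 'locked' for one auth event."""
        keys = (f"user:{account}", f"src:{src}")
        if any(self.is_locked(k, when) for k in keys):
            return "denied"  # rejected while a lock is active; not counted
        if ok:
            return "allowed"
        triggered = [self._record_failure(k, when) for k in keys]
        return "locked" if any(triggered) else "failed"


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts, outcome, account, src = m.groups()
    return datetime.fromisoformat(ts), outcome == "success", account, src


def process_log(lines):
    """Classify every event in order; return the statuses and the tracker state."""
    tracker = LockoutTracker()
    statuses = [tracker.classify(*parse_line(line)) for line in lines]
    return statuses, tracker


def sample_log():
    """Constructed sample: one host fails 16 times against one account in four minutes."""
    base = datetime(2008, 3, 27, 9, 0, 0)
    lines = [f"{base.isoformat()} auth success user=bob src=10.0.0.9"]
    for i in range(16):
        ts = base + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} auth failure user=alice src=10.0.0.5")
    # a retry three minutes after the lock was triggered (09:03:30): lock has expired
    retry = base + timedelta(seconds=15 * 14) + timedelta(minutes=3)
    lines.append(f"{retry.isoformat()} auth failure user=alice src=10.0.0.5")
    return lines


if __name__ == "__main__":
    statuses, tracker = process_log(sample_log())
    for line, status in zip(sample_log(), statuses):
        print(f"{status:8} {line}")
    for key, until in tracker.locked_until.items():
        print(f"{key} locked until {until.time()}")
```

Two design choices are worth noting when adapting this to a real host: attempts made while a lock is active are rejected without being counted, so a continuing attacker cannot extend the lock indefinitely by itself, and the failure count restarts after a lock rather than carrying over, which matches the "not less than two minutes" wording rather than a permanent disable. Keying on both the account and the source address covers a single host spraying many accounts as well as many hosts targeting one account.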

References

A) Windows Server Security Guides
Microsoft: Windows Server 2003 Security Guide
Active Directory Security Technical Implementation Guide, Department of Defense (PDF)
Microsoft: Windows Server 2003 Security Guide Overview
Microsoft: The Threats and Countermeasures Guide
Microsoft: Group Policy Settings Reference
Security Library: Windows 2003 / IIS 6.0 DMZ Hardening Guidelines
Information Assurance Support Environment: Windows 2003 Checklist Version 5

B) Windows XP Security Guides
Microsoft: Windows XP Security Guide
NIST: Guidance for Securing Microsoft Windows XP Systems
NIST: Guidance for Securing Microsoft Windows XP Home Edition
National Security Agency: Guide to Securing Microsoft Windows XP (PDF)

C) Unix Security Guides
Defense Information Systems Agency: UNIX Technical Implementation Guide (Doc)
CERT Coordination Center: UNIX Security Checklist v2.0
NIST: Guide to Computer Security Log Management (PDF)
AusCERT: UNIX and Linux Security Checklist

D) NIST Security Guides
NIST: DISA Security Technical Implementation Guides (STIGs)
NIST: Minimum Security Requirements for Federal Information and Information Systems (PDF)
NIST: Security Self-Assessment Guide for Information Technology Systems (PDF)
NIST: Risk Management Guide for Information Technology Systems (PDF)
NIST: Guidelines for Media Sanitization (PDF)
NIST: Electronic Authentication Guideline (PDF)

E) Microsoft Articles on File Sharing (how to enable simple file sharing)
Microsoft: How to configure file sharing in Windows XP
Microsoft: Security considerations when implementing clustered file shares

F) Removing the LM Hash
Microsoft: How to prevent Windows from storing a LAN Manager hash of your password in Active Directory and local SAM databases

G) Port Reporter
Microsoft: Availability and description of the Port Reporter tool

H) Microsoft Baseline Security Analyzer
Microsoft: Microsoft Baseline Security Analyzer

I) Symantec AntiVirus
NUIT: Download SAV from NUIT
Symantec AntiVirus Corporation

J) Spybot Search and Destroy
NUIT: Install Spybot

K) CERT-CC
Before You Connect a New Computer to the Internet

L) NIST
NIST Internet Time Servers

M) NUIT Firewall Strategy Guide
Firewall Strategies (PDF)

N) Encryption
An official Northwestern University encryption recommendation is in development.
PGP Corporation
International PGP Home Page
The GNU Privacy Guard
Microsoft: The Encrypting File System
Microsoft: Encrypting File System in Windows XP and Windows Server 2003
Microsoft: Choose the File System That Suits Your Needs

O) Windows Vista Security Guides
Microsoft: Windows Vista Security Guide

Original Issue Date: August 2006

Last Updated: 27 March 2008